Audit Report

OIG-13-022
Management Letter for the Audit of the Office of D.C. Pensions’ Fiscal Years 2012 and 2011 Financial Statements
December 10, 2012

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

December 10, 2012

MEMORANDUM FOR NANCY OSTROWSKI, DIRECTOR
OFFICE OF D.C. PENSIONS

FROM: Michael Fitzgerald
Director, Financial Audits

SUBJECT: Management Letter for the Audit of the Office of D.C. Pensions’ Fiscal Years 2012 and 2011 Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of D.C. Pensions’ (ODCP) Fiscal Years 2012 and 2011 financial statements. Under a contract monitored by the Office of Inspector General, KPMG LLP, an independent certified public accounting firm, performed an audit of the financial statements of ODCP as of September 30, 2012 and 2011, and for the years then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, KPMG LLP issued and is responsible for the accompanying management letter that discusses a matter involving internal control over financial reporting and its operation that was identified during the audit but was not required to be included in the auditors’ reports.

In connection with the contract, we reviewed KPMG LLP’s letter and related documentation and inquired of its representatives. Our review disclosed no instances where KPMG LLP did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789 or a member of your staff may contact Shiela Michel, Manager, Financial Audits, at (202) 927-5407.

Attachment


KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

December 7, 2012

Inspector General, U.S. Department of the Treasury, and
Director, Office of D.C. Pensions:

In planning and performing our audit of the consolidated financial statements of the U.S. Department of the Treasury’s Office of D.C. Pensions (the ODCP), as of and for the year ended September 30, 2012, in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended, we considered the ODCP’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of the ODCP’s internal control. Accordingly, we do not express an opinion on the effectiveness of the ODCP’s internal control.

During our audit, we noted a certain matter involving internal control and other operational matters that is presented for your consideration. This finding and recommendation, which has been discussed with the appropriate members of management, is intended to improve internal control or result in other operating efficiencies and is summarized in Appendix A to this report.

In addition, we identified certain deficiencies in internal control over financial reporting that we consider collectively to be a significant deficiency, and communicated them in writing as Exhibit I to the Independent Auditors’ Report on Internal Control Over Financial Reporting to management and those charged with governance on December 7, 2012.

Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge of the ODCP’s organization gained during our work to make comments and suggestions that we hope will be useful to you. The ODCP’s response to our finding and recommendation is included in Appendix A. We did not audit the ODCP’s response and, accordingly, we express no opinion on it. Appendix B presents the status of the prior year management letter comments.

We would be pleased to discuss this comment and recommendation with you at any time.

This communication is intended solely for the information and use of the ODCP’s management, the U.S. Department of the Treasury’s Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.


Appendix A

U.S. Department of the Treasury
Office of D.C. Pensions
FY 2012 Management Letter Comment

Strengthen the Process for Documenting Review of Audit Logs

During our review of the ODCP STAR audit log review control, we noted that the STAR_Daily_Checklist was not completed for 51 days during the period October 1, 2011 through September 11, 2012, as the primary STAR administrator was out on leave.

Office of DC Pensions System to Administer Retirement (STAR) System Security Plan states:

“15.4.3.6 AU-6: Audit Monitoring, Analysis, and Reporting
STAR administrators review the results from the audit logs daily. If need be, the administrator can modify the results to include more or less information.”

Bureau of the Public Debt, Office of Information Technology, Division of Technical Services, DC Pensions Application and Technical Services Branch STAR Auditing and Logs (a reference document which supports AU-6) states:

“DCP STAR Daily Checklist
The system administrators (SA) will annotate the STAR_DAILY_Checklist.xls on a daily basis. The checklist will annotate at a minimum who performed the check the date and that the following checks were done by the SA for all the servers; Verify successful backup, percent of file system available, PS/Oracle processes, database archive, production transfer, virus definitions, HP-UX syslog file, Windows event logs. This checklist will be monitored by the System Manager on a Monthly basis. This process will be followed to ensure that audit records are reviewed in a timely manner for unauthorized activity”

ODCP’s inability to support their review of audit logs could potentially prohibit management from being able to identify previous security incidents or inappropriate or unusual activity.

Recommendation

We recommend that ODCP establish a formal process to ensure STAR audit logs are monitored and reviewed daily.

Management’s Response

STAR audit logs are monitored and reviewed daily with 24 hour monitoring from the Bureau of Fiscal Services’ 24 hour operations center. The STAR Auditing and Logs document has been updated to reflect the use of the 24 hour monitoring center.


Appendix B

U.S. Department of the Treasury
Office of D.C. Pensions
Status of Prior Year Management Letter Comments

Prior Year Deficiency: Improve compliance with Treasury Directive Publication 85-01

Prior Year Recommendation: We recommend that ODCP:

1. Update the STAR Account Management Policy and Procedures Manual to be in accordance with the TD P 85-01; and

2. Implement a process to monitor compliance with updated Treasury Directive Publications and other Federal requirements on a more frequent basis.

Status as of September 30, 2012: Closed

Prior Year Deficiency: Improve Annuitant Recordkeeping

Prior Year Recommendation: We recommend that ODCP:

1. Work with DCRB to ensure they are in compliance with the Recordkeeping requirement as specified in MOU Concerning Interim Benefit Administration of Retirement Programs dated September 26, 2005, section 4.5; and

2. Take appropriate steps to inform DCRB management of the importance of the preservation, maintenance, and monitoring of annuitant files at DCRB by requesting DCRB to implement a file tracking system to include the person with custody of annuitant files, secondary review, file scanning and quality review processes.

Status as of September 30, 2012: Closed